jpp Posted January 31, 2007 Share Posted January 31, 2007 My mail server adds "[spam]" in the subject of spam messages (using spamcop and others lists). I can't correct them (too many messages: I use Okopipi on thunderbird to send them). the server adds headers too but I think I can leave them Should I send modified messages? I'm currently sending only unrecognized spam messages. Thanks Link to comment Share on other sites More sharing options...
Miss Betsy Posted January 31, 2007 Share Posted January 31, 2007 When I used spamassassin, spamcop accepted the reports and there was no problem about the added tag in the subject line, but that was a while back. If you want to be sure, then you will have to email the deputies. Please come back here and report what they say. The only way that you can tell if the headers would upset the parser is to submit one and see (you don't have to send it if the parser gets confused). If the extra headers do cause a problem, then just submitting those spam that get through filters is a worthwhile activity because it may put them on the scbl and be identified in the future. Some people who do not have a lot of time on their hands to submit spam, only report those that make it past filters. Miss Betsy Link to comment Share on other sites More sharing options...
agsteele Posted January 31, 2007 Share Posted January 31, 2007 My mail server adds "[spam]" in the subject of spam messages (using spamcop and others lists). I can't correct them (too many messages: I use Okopipi on thunderbird to send them). the server adds headers too but I think I can leave them Should I send modified messages? I'm currently sending only unrecognized spam messages. This looks like a topic for lawyers but IANAL My understanding is that you should not materially change the headers of the spam as it arrives with you. On that basis I think you should be OK submitting the reports you refer to. The addition of the [spam] flag in the subject isn't a significant change and the extra header lines are added by one of the servers en route to you so they should be left in place. You should make sure your mailhosts are configured correctly to avoid reporting your own server(s). Andrew Link to comment Share on other sites More sharing options...
Farelf Posted January 31, 2007 Share Posted January 31, 2007 The proposition that programmic additions to subjects and X-line insertions etc made by AV application etc. were not material alterations to the spam was floated in a topic Don was following some time ago without direct comment from him FWIW (ISP filtering mail and marking spam messages, Do I report these messages?). What he did say was It sounds like you should be OK reporting those. As long as SpamAssassin is just adding informational headers and not changing the original spam headers to "localhost" info, SpamCop can find the true source of the spam. The fact that your server is altering the body text is irrelevant. The only modifications SpamCop policy forbids is material alterations by the user after he gets the spam. If you have any questions, send me email with the tracking URL from the top of the page when you process one of the spams and I'll be happy to take a look. - Don D'Minion - SpamCop Admin - service[at]admin.spamcop.net I believe that answers the question - report freely jpp - email Don (as Miss Bestsy suggested) if you are in any doubt. Link to comment Share on other sites More sharing options...
C2H5OH Posted February 6, 2007 Share Posted February 6, 2007 The proposition that programmic additions to subjects and X-line insertions etc made by AV application etc. were not material alterations to the spam was floated in a topic Don was following some time ago without direct comment from him FWIW (ISP filtering mail and marking spam messages, Do I report these messages?). What he did say wasI believe that answers the question - report freely jpp - email Don (as Miss Bestsy suggested) if you are in any doubt. I've lately been seeing lots of Viagra spam with body text like this; ==========message start========= Hi, Vriagra 1,80 Crialis 3,00 Levritra 3,35 http://enounc.progenyid-com Important: Replace "-" with "." in the above link -- The fire, he now saw, had been lit in the grate. This surprised him. Then he stopped moving and listened intently, for a mans voice spoke within the room; it sounded timid and fearful. ==========message end============= Spamcop does its usual best with the headers and sends reports to the open proxy which sent the mail. However, the link is not found unless I do as bid and replace the - with . (sometimes it's a comma, or an ampersand, but always the dot before "com" is substituted.) Domain names vary too, but seem to be subject to the rotating DNS trick detailed in other threads here. Something else these Spams share, is the closing paragraph is always an extract from a Harry Potter story. Question - It it acceptable for me to insert the dot in the message body, so that Spamcop can try to find the spamvertised site? C2H5OH Link to comment Share on other sites More sharing options...
petzl Posted February 6, 2007 Share Posted February 6, 2007 Question - It it acceptable for me to insert the dot in the message body, so that Spamcop can try to find the spamvertised site? C2H5OH No you must leave the spam message as original as you can Once SpamCop has parsed the message. You can by either doing a tracert and/or a second SpamCop reporting page you get an IP and abuse address just put in "notes" box SPAMVERTIZED URL http://enounc.progenyid.com IP 58.61.152.101 ct-abuse[at]abuse.sprint.net abuse[at]gddc.com.cn anti-spam[at]ns.chinanet.cn.net I managed to get this creep kicked out of Russian Web space. It is now in Chinese We space and have so far reported it a few dozen times Then Chinese wonder why n one wants email from them? Link to comment Share on other sites More sharing options...
C2H5OH Posted February 6, 2007 Share Posted February 6, 2007 Thanks for that petzl. BTW, I've just noticed that the spam munging is changing from simply replacing that last dot, to inserting an exclamation mark in the domain name "remove to make link work". C2H5OH Link to comment Share on other sites More sharing options...
StevenUnderwood Posted February 6, 2007 Share Posted February 6, 2007 Thanks for that petzl. BTW, I've just noticed that the spam munging is changing from simply replacing that last dot, to inserting an exclamation mark in the domain name "remove to make link work". Any change to make the parser find something it normally would not is not allowed. Link to comment Share on other sites More sharing options...
AlphaCentauri Posted February 9, 2007 Share Posted February 9, 2007 But you can put the corrected email address in a blank spamcop submission form and hit "Process spam" to get the reporting address, then go to Preferences (top of browser window), Report Handling Options, then add the reporting address to the form at "Public standard report recipients." Reload the spam, and even though the spamcop parser won't recognize the email address with the exclamation point in it, it will still send a report to that address's ISP. Some of the ones I have run have traced to keyword.de, which refuses spamcop report, but some have gone to ISP's that seem to have pretty stringent acceptable use policies. I have to assume that if they are making potential customers go to extra trouble to link to their site, there is a good reason they don't want spamcop sending reports. You do have to re-trace the URL every time as they keep moving around. Link to comment Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.